In our March 9th blog post, we talked about how hackers were using the coronavirus to phish end users into giving up sensitive information or clicking on malware. As the coronavirus keeps spreading, so do the different types of malware attacks that security experts are seeing.
A recent Business Insider article claims that hackers are using fake coronavirus maps to trick people into downloading malware. According to findings from cybersecurity firm Reason Labs, hackers are spreading malicious sites disguised as reliable coronavirus maps. It starts with hackers circulating links to these sites, either on social media or through misleading emails. When people open the sites, they're directed to open an applet that can infect their device with AZORult, a years-old malware that steals data like login credentials and banking info. Reason Labs researcher Shai Alfasi wrote, "We will likely be seeing an increase in corona malware and corona malware variants well into the foreseeable future." Security experts advise people to stick to verified coronavirus tracking maps and to double-check the URL of a linked website before clicking.
Cointelegraph has also published an article about an Android app that downloads ransomware onto your mobile device. The article says threat researchers at DomainTools have identified that the website coronavirusapp.site facilitates the installation of a new ransomware called “CovidLock.” The website prompts visitors to install an Android application that purportedly tracks updates regarding the spread of COVID-19, claiming to notify users when an individual infected with coronavirus is in their vicinity using heatmap visuals. Even though the app appears to display certification from the World Health Organization and the Centers for Disease Control and Prevention, the website is a conduit for the “CovidLock” ransomware, which launches a screen lock attack on unsuspecting users. Once installed, CovidLock alters the lock screen on the infected device and demands a payment of $100 in Bitcoin in exchange for the key that will unlock the screen and return control of the device to the owner. If a victim does not pay the ransom within 48 hours, CovidLock threatens to erase all the files that are stored on the phone. Thankfully, DomainTools claims to have reverse engineered the decryption keys for CovidLock. They say they will publicly post the key “soon.”
To avoid being scammed by hackers, check that links point to reputable organizations such as WHO. If you are sent links in an email, don’t blindly follow them. It is estimated that over 50% of coronavirus-themed domains are more likely to be a front for malicious actors. Organizational leaders are well advised to warn staff to be wary of clicking on links about coronavirus. If you haven’t discussed it with your teams yet, now is a good time to talk about phishing awareness.
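
For teams that want to automate the "check the URL" advice above, here is an added example (not code from the cited articles or research firms) showing why the check has to be made on the parsed hostname rather than on the link text. The allowlist, the keywords and all sample links except coronavirusapp.site are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: allowlist and keywords chosen for this example, not taken from the article.
TRUSTED_DOMAINS = ("who.int", "cdc.gov")
THEME_KEYWORDS = ("corona", "covid")


def hostname_of(url):
    """Return the hostname part of a URL, lowercased ('' if it cannot be parsed)."""
    try:
        parts = urlsplit(url if "://" in url else "//" + url)
        return (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return ""


def is_trusted(host):
    """Exact match or true subdomain; a bare substring test would accept look-alikes."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def classify(url):
    host = hostname_of(url)
    if not host:
        return "invalid"
    if is_trusted(host):
        return "trusted"
    # A trusted name that appears anywhere else (leading label, userinfo, path)
    # is being borrowed to look legitimate.
    borrows_name = any(d in url.lower() for d in TRUSTED_DOMAINS)
    themed = any(k in host for k in THEME_KEYWORDS)
    return "suspicious" if borrows_name or themed else "unknown"


# Constructed sample links; only coronavirusapp.site is named in the article.
SAMPLES = [
    "https://www.who.int/emergencies/diseases/novel-coronavirus-2019",
    "www.cdc.gov/coronavirus",
    "http://coronavirusapp.site/",
    "https://who.int.covid-map.example/live",
    "https://who.int@tracker.example/map",
    "https://intranet.example/news",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{classify(url):<10} {hostname_of(url):<28} {url}")
```

A "suspicious" verdict here means the link deserves a second look before anyone clicks it, and "unknown" means only that nothing in the hostname stood out.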